1. The Chief Technology Officer of a local college would like visitors to utilize the 
school's WiFi but must be able to associate potential malicious activity to a specific 
person. 

Which of the following would BEST allow this objective to be met? 

A. Requiring all new, on-site visitors to configure their devices to use WPS 

B. Implementing a new SSID for every event hosted by the college that has visitors 
C. Creating a unique PSK for every visitor when they arrive at the reception area 
D. Deploying a captive portal to capture visitors' MAC addresses and names 
Answer: D 

Explanation: 

A captive portal is a web page that requires visitors to authenticate or agree to an 
acceptable use policy before allowing access to the network. By capturing visitors’ 
MAC addresses and names, potential malicious activity can be traced back to a 
specific person. 


2. The security team received a report of copyright infringement from the IP space of 
the corporate network. The report provided a precise timestamp for the incident as 
well as the name of the copyrighted files. The analyst has been tasked with 
determining the infringing source machine and instructed to implement measures to 
prevent such incidents from occurring again. 

Which of the following is MOST capable of accomplishing both tasks? 

A. HIDS 

B. Allow list 

C. TPM 

D. NGFW 

Answer: D 

Explanation: 


Next-Generation Firewalls (NGFWs) are designed to provide advanced threat 
protection by combining traditional firewall capabilities with intrusion prevention, 
application control, and other security features. NGFWs can detect and block 
unauthorized access attempts, malware infections, and other suspicious activity. They 
can also be used to monitor file access and detect unauthorized copying or 
distribution of copyrighted material. 

A next-generation firewall (NGFW) can be used to detect and prevent copyright 
infringement by analyzing network traffic and blocking unauthorized transfers of 
copyrighted material. Additionally, NGFWs can be configured to enforce access 
control policies that prevent unauthorized access to sensitive resources. 


3. A security administrator is setting up a SIEM to help monitor for notable events 
across the enterprise. 
Which of the following control types does this BEST represent? 


A. Preventive 

B. Compensating 

C. Corrective 

D. Detective 

Answer: D 

Explanation: 

A SIEM is a security solution that helps detect security incidents by monitoring for 
notable events across the enterprise. A detective control is a control that is designed 
to detect security incidents and respond to them. Therefore, a SIEM represents a 
detective control. 


4. A systems engineer is building a new system for production. 

Which of the following is the FINAL step to be performed prior to promoting to 
production? 

A. Disable unneeded services. 

B. Install the latest security patches. 

C. Run a vulnerability scan. 

D. Encrypt all disks. 

Answer: C 

Explanation: 

Running a vulnerability scan is the final step to be performed prior to promoting a 
system to production. This allows any remaining security issues to be identified and 
resolved before the system is put into production. 
5. A security analyst is reviewing the vulnerability scan report for a web server 
following an incident. The vulnerability that was used to exploit the server is present in 
historical vulnerability scan reports, and a patch is available for the vulnerability. 
Which of the following is the MOST likely cause? 

A. Security patches were uninstalled due to user impact. 

B. An adversary altered the vulnerability scan reports. 

C. A zero-day vulnerability was used to exploit the web server. 

D. The scan reported a false negative for the vulnerability 

Answer: A 

Explanation: 

A security patch is a software update that fixes a vulnerability or bug that could be 
exploited by attackers. Security patches are essential for maintaining the security and 
functionality of systems and applications. 

If the vulnerability that was used to exploit the server is present in historical 
vulnerability scan reports, and a patch is available for the vulnerability, it means that 
the patch was either not applied or was uninstalled at some point. A possible reason 
for uninstalling a security patch could be user impact, such as performance 


degradation, compatibility issues, or functionality loss. 

The other options are not correct because: 

B. An adversary altered the vulnerability scan reports. This could be a possibility, but 
it is less likely than option A. An adversary would need to have access to the 
vulnerability scan reports and be able to modify them without being detected. 

Moreover, altering the reports would not prevent the patch from being applied or 
uninstalled. 

C. A zero-day vulnerability was used to exploit the web server. This is not correct 
because a zero-day vulnerability is a vulnerability that is unknown to the public or the 
vendor, and therefore has no patch available. The question states that a patch is 
available for the vulnerability that was used to exploit the server. 

D. The scan reported a false negative for the vulnerability. This is not correct because 
a false negative is when a scan fails to detect a vulnerability that is present. The 
question states that the vulnerability is present in historical vulnerability scan reports, 
which means that it was detected by previous scans. 

According to CompTIA Security+ SY0-601 Exam Objectives, Given a scenario, 
analyze potential indicators to determine the type of attack: 

“A security patch is a software update that fixes a vulnerability or bug that could be 
exploited by attackers.” 

References: 

https://www.comptia.org/certifications/security#examdetails 

https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives 
httos://www.getastra. a cuir a il scanning-report/ 
6. A company wants to modify its current backup strategy to minimize the number of 
backups that would need to be restored in case of data loss. 

Which of the following would be the BEST backup strategy? 

A. Incremental backups followed by differential backups 

B. Full backups followed by incremental backups 

C. Delta backups followed by differential backups 

D. Incremental backups followed by delta backups 

E. Full backup followed by different backups 

Answer: B 

Explanation: 

The best backup strategy for minimizing the number of backups that need to be 
restored in case of data loss is full backups followed by incremental backups. This 
strategy allows for a complete restoration of data by restoring the most recent full 
backup followed by the most recent incremental backup. 


7. A network engineer and a security engineer are discussing ways to monitor network 
operations. 

Which of the following is the BEST method? 

A. Disable Telnet and force SSH. 

B. Establish a continuous ping. 

C. Utilize an agentless monitor. 

D. Enable SNMPv3 with passwords. 

Answer: C 

Explanation: 

An agentless monitor is the best method to monitor network operations because it 
does not require any software or agents to be installed on the devices being 
monitored, making it less intrusive and less likely to disrupt network operations. This 
method can monitor various aspects of network operations, such as traffic, 
performance, and security. 

8. An enterprise needs to keep cryptographic keys in a safe manner. 
Which of the following network appliances can achieve this goal? 
A. HSM 
B. CASB 
C. TPM 
D. DLP 
Answer: A 
Explanation: 
A Hardware Security Module (HSM) is a network appliance designed to securely store 
cryptographic keys and perform cryptographic operations. HSMs provide a secure 
environment for key management and can be used to keep cryptographic keys safe 
from theft, loss, or unauthorized access. Therefore, an enterprise can achieve the 
goal of keeping cryptographic keys in a safe manner by using an HSM appliance. 


9. A security administrator wants to implement a program that tests a user's ability to 
recognize attacks over the organization's email system. 
Which of the following would be BEST suited for this task? 
A. Social media analysis 
B. Annual information security training 
C. Gamification 
D. Phishing campaign 
Answer: D 
Explanation: 
A phishing campaign is a simulated attack that tests a user's ability to recognize 
attacks over the organization's email system. Phishing campaigns can be used to 
train users on how to identify and report suspicious emails. 


10. A new vulnerability in the SMB protocol on the Windows systems was recently 
discovered, but no patches are currently available to resolve the issue. The security 
administrator is concerned that servers in the company's DMZ will be vulnerable to 
external attack; however, the administrator cannot disable the service on the servers, 
as SMB is used by a number of internal systems and applications on the LAN. 
Which of the following TCP ports should be blocked for all external inbound 
connections to the DMZ as a workaround to protect the servers? (Select TWO). 
A. 135 
B. 139 
C. 143 
D. 161 
E. 443 
F. 445 
Answer: B,F 
Explanation: 
To protect the servers in the company’s DMZ from external attack due to the new 
vulnerability in the SMB protocol on the Windows systems, the security administrator 
should block TCP ports 139 and 445 for all external inbound connections to the DMZ. 
SMB uses TCP ports 139 and 445. Blocking these ports will prevent external attackers 
from exploiting the vulnerability in the SMB protocol on Windows systems. 
Blocking TCP ports 139 and 445 for all external inbound connections to the DMZ can 
help protect the servers, as these ports are used by the SMB protocol. Port 135 is also 
associated with SMB, but it is not the one used here. Ports 143 and 161 are associated 
with other protocols and services. 
11. As part of annual audit requirements, the security team performed a review of 
exceptions to the company policy that allows specific users the ability to use USB 
storage devices on their laptops. 
The review yielded the following results: 
• The exception process and policy have been correctly followed by the majority of 
users. 
• A small number of users did not create tickets for the requests but were granted 
access. 
• All access had been approved by supervisors. 
• Valid requests for the access sporadically occurred across multiple departments. 
• Access, in most cases, had not been removed when it was no longer needed. 
Which of the following should the company do to ensure that appropriate access is 
not disrupted but unneeded access is removed in a reasonable time frame? 
A. Create an automated, monthly attestation process that removes access if an 
employee's supervisor denies the approval 


B. Remove access for all employees and only allow new access to be granted if the 
employee's supervisor approves the request 
C. Perform a quarterly audit of all user accounts that have been granted access and 
verify the exceptions with the management team 
D. Implement a ticketing system that tracks each request and generates reports listing 
which employees actively use USB storage devices 
Answer: A 
Explanation: 
According to the CompTIA Security+ SY0-601 documents, the correct answer option 
is A. Create an automated, monthly attestation process that removes access if an 
employee’s supervisor denies the approval. 
This option ensures that appropriate access is not disrupted but unneeded access is 
removed in a reasonable time frame by requiring supervisors to approve or deny the 
exceptions on a regular basis. It also reduces the manual workload of the security 
team and improves the compliance with the company policy. 

12. Which of the following describes a maintenance metric that measures the average 
time required to troubleshoot and restore failed equipment? 
A. RTO 
B. MTBF 
C. MTTR 
D. RPO 
Answer: C 
Explanation: 
Mean Time To Repair (MTTR) is a maintenance metric that measures the average 
time required to troubleshoot and restore failed equipment. 


13. Which of the following is a risk that is specifically associated with hosting 
applications in the public cloud? 
A. Unsecured root accounts 
B. Zero day 
C. Shared tenancy 
D. Insider threat 
Answer: C 
Explanation: 
When hosting applications in the public cloud, there is a risk of shared tenancy, 
meaning that multiple organizations are sharing the same infrastructure. This can 
potentially allow one tenant to access another tenant's data, creating a security risk. 


14. The technology department at a large global company is expanding its Wi-Fi 


network infrastructure at the headquarters building. 
Which of the following should be closely coordinated between the technology, 
cybersecurity, and physical security departments? 
A. Authentication protocol 
B. Encryption type 
C. WAP placement 
D. VPN configuration 
Answer: C 
Explanation: 
WAP stands for wireless access point, which is a device that allows wireless devices 
to connect to a wired network using Wi-Fi or Bluetooth. WAP placement refers to 
where and how WAPs are installed in a building or area. 
WAP placement should be closely coordinated between the technology, 
cybersecurity, and physical security departments because it affects several aspects of 
network performance and security, such as: 
• Coverage: WAP placement determines how well wireless devices can access the 
network throughout the building or area. WAPs should be placed in locations that 
provide optimal signal strength and avoid interference from other sources. 
• Capacity: WAP placement determines how many wireless devices can connect to 
the network simultaneously without affecting network speed or quality. WAPs should 
be placed in locations that balance network load and avoid congestion or bottlenecks. 
• Security: WAP placement determines how vulnerable wireless devices are to 
eavesdropping or hacking attacks from outside or inside sources. WAPs should be 
placed in locations that minimize exposure to unauthorized access and maximize 
encryption and authentication methods. 

15. A company uses a drone for precise perimeter and boundary monitoring. 
Which of the following would be MOST concerning to the company? 
A. Privacy 
B. Cloud storage of telemetry data 
C. GPS spoofing 
D. Weather events 
Answer: A 
Explanation: 
The use of a drone for perimeter and boundary monitoring can raise privacy 
concerns, as it may capture video and images of individuals on or near the monitored 
premises. The company should take measures to ensure that privacy rights are not 
violated. 


16. An organization wants to enable built-in FDE on all laptops. 
Which of the following should the organization ensure is installed on all laptops? 


A. TPM 

B. CA 

C. SAML 

D. CRL 

Answer: A 

Explanation: 

The organization should ensure that a Trusted Platform Module (TPM) is installed on 
all laptops in order to enable built-in Full Disk Encryption (FDE). A TPM is a 
hardware-based security chip that stores encryption keys and helps to protect data from 
malicious attacks. It is important to ensure that the TPM is properly configured and 
enabled in order to get the most out of FDE. 
17. A security analyst is running a vulnerability scan to check for missing patches 
during a suspected security incident. During which of the following phases of the 
response process is this activity MOST likely occurring? 
A. Containment 
B. Identification 
C. Recovery 
D. Preparation 
Answer: B 
Explanation: 
Vulnerability scanning is a proactive security measure used to identify vulnerabilities 
in the network and systems. 


18. A desktop support technician recently installed a new document-scanning software 
program on a computer. However, when the end user tried to launch the program, it 
did not respond. 

Which of the following is MOST likely the cause? 

A. A new firewall rule is needed to access the application. 

B. The system was quarantined for missing software updates. 

C. The software was not added to the application whitelist. 

D. The system was isolated from the network due to infected software 

Answer: C 

Explanation: 

The most likely cause of the document-scanning software program not responding 
when launched by the end user is that the software was not added to the application 
whitelist. An application whitelist is a list of approved software applications that are 
allowed to run on a system. If the software is not on the whitelist, it may be blocked 
from running by the system's security policies. Adding the software to the whitelist 
should resolve the issue and allow the program to run. 

References: https://www.techopedia.com/definition/31541/application-whitelisting 


19. Which of the following is required in order for an IDS and a WAF to be effective on 
HTTPS traffic? 

A. Hashing 

B. DNS sinkhole 

C. TLS inspection 

D. Data masking 

Answer: C 

Explanation: 

An IDS (Intrusion Detection System) and a WAF (Web Application Firewall) are both 
used to monitor and protect web applications from common attacks such as cross-site 
scripting and SQL injection. However, these attacks can also be hidden in 
encrypted HTTPS traffic, which uses the TLS (Transport Layer Security) protocol to 
provide cryptography and authentication between two communicating applications. 
Therefore, in order for an IDS and a WAF to be effective on HTTPS traffic, they need 
to be able to decrypt and inspect the data that flows in the TLS tunnel. This is 
achieved by using a feature called TLS inspection, which creates two dedicated 
TLS connections: one with the web server and another with the client. The firewall 
then uses a customer-provided CA (Certificate Authority) certificate to generate an 
on-the-fly certificate that replaces the web server certificate and shares it with the client. 
This way, the firewall can see the content of the HTTPS traffic and apply the IDS and 
WAF rules accordingly. 

20. Which of the following environments typically hosts the current version 
configurations and code, compares user-story responses and workflow, and uses a 
modified version of actual data for testing? 

A. Development 
B. Staging 
C. Production 
D. Test 
Answer: B 
Explanation: 


Staging is an environment in the software development lifecycle that is used to test a 
modified version of the actual data, current version configurations, and code. This 
environment compares user-story responses and workflow before the software is 
released to the production environment. 


21. After a WiFi scan of a local office was conducted, an unknown wireless signal was 
identified. Upon investigation, an unknown Raspberry Pi device was found connected 
to an Ethernet port using a single connection. 


Which of the following BEST describes the purpose of this device? 

A. IoT sensor 

B. Evil twin 

C. Rogue access point 

D. On-path attack 

Answer: C 

Explanation: 

A Raspberry Pi device connected to an Ethernet port could be configured as a rogue 
access point, allowing an attacker to intercept and analyze network traffic or perform 
other malicious activities. 


22. During an investigation, the incident response team discovers that multiple 
administrator accounts were suspected of being compromised. The host audit logs 
indicate a repeated brute-force attack on a single administrator account followed by 
suspicious logins from unfamiliar geographic locations. 
Which of the following data sources would be BEST to use to assess the accounts 
impacted by this attack? 
A. User behavior analytics 
B. Dump files 
C. Bandwidth monitors 
D. Protocol analyzer output 
Answer: A 
Explanation: 
User behavior analytics (UBA) would be the best data source to assess the accounts 
impacted by the attack, as it can identify abnormal activity, such as repeated 
brute-force attacks and logins from unfamiliar geographic locations, and provide insights 
into the behavior of the impacted accounts. 

23. A security analyst needs an overview of vulnerabilities for a host on the network. 
Which of the following is the BEST type of scan for the analyst to run to discover 
which vulnerable services are running? 
A. Non-credentialed 
B. Web application 
C. Privileged 
D. Internal 
Answer: C 
Explanation: 
Privileged scanning, also known as credentialed scanning, is a type of vulnerability 
scanning that uses a valid user account to log in to the target host and examine 
vulnerabilities from a trusted user’s perspective. It can provide more accurate and 
comprehensive results than unprivileged scanning, which does not use any 


credentials and only scans for externally visible vulnerabilities. 


24. An attacker replaces a digitally signed document with another version that goes 
unnoticed. Upon reviewing the document's contents, the author notices some 
additional verbiage that was not originally in the document but cannot validate an 
integrity issue. 

Which of the following attacks was used? 

A. Cryptomalware 

B. Hash substitution 


C. Collision 
D. Phishing 
Answer: B 
Explanation: 

This type of attack occurs when an attacker replaces a digitally signed document with 
another version that has a different hash value. The author would be able to notice 
the additional verbiage; however, since the hash value would have changed, they 
would not be able to validate an integrity issue. 

25. The help desk has received calls from users in multiple locations who are unable 
to access core network services. The network team has identified and turned off the 
network switches using remote commands. 
Which of the following actions should the network team take NEXT? 
A. Disconnect all external network connections from the firewall. 

B. Send response teams to the network switch locations to perform updates. 
C. Turn on all the network switches by using the centralized management software. 
D. Initiate the organization's incident response plan. 
Answer: D 
Explanation: 
An incident response plan is a set of procedures and guidelines that defines how an 
organization should respond to a security incident. An incident response plan typically 
includes the following phases: preparation, identification, containment, eradication, 
recovery, and lessons learned. 
If the help desk has received calls from users in multiple locations who are unable to 
access core network services, it could indicate that a network outage or a denial-of- 
service attack has occurred. The network team has identified and turned off the 
network switches using remote commands, which could be a containment measure to 
isolate the affected devices and prevent further damage. 
The next action that the network team should take is to initiate the organization’s 
incident response plan, which would involve notifying the appropriate stakeholders, 
such as management, security team, legal team, etc., and following the predefined 
steps to investigate, analyze, document, and resolve the incident. 


The other options are not correct because: 

A. Disconnect all external network connections from the firewall. This could be 
another containment measure to prevent external attackers from accessing the 
network, but it would also disrupt legitimate network traffic and services. This action 
should be taken only if it is part of the incident response plan and after notifying the 
relevant parties. 

B. Send response teams to the network switch locations to perform updates. This 
could be a recovery measure to restore normal network operations and apply patches 
or updates to prevent future incidents, but it should be done only after the incident has 
been properly identified, contained, and eradicated. 

C. Turn on all the network switches by using the centralized management software. 
This could be a recovery measure to restore normal network operations, but it should 
be done only after the incident has been properly identified, contained, and 
eradicated. 
According to CompTIA Security+ SY0-601 Exam Objectives 1.5 Given a scenario, 
analyze indicators of compromise and determine the type of malware: 

“An incident response plan is a set of procedures and guidelines that defines how an 
organization should respond to a security incident. An incident response plan typically 
includes the following phases: preparation, identification, containment, eradication, 
recovery, and lessons learned.” 
References: 
https://www.comptia.org/certifications/security#examdetails 
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives 

26. When planning to build a virtual environment, an administrator needs to achieve the 
following: 
• Establish policies to limit who can create new VMs 
• Allocate resources according to actual utilization 
• Require justification for requests outside of the standard requirements 
• Create standardized categories based on size and resource requirements 
Which of the following is the administrator MOST likely trying to do? 
A. Implement IaaS replication 
B. Protect against VM escape 
C. Deploy a PaaS 
D. Avoid VM sprawl 
Answer: D 
Explanation: 
The administrator is most likely trying to avoid VM sprawl, which occurs when too 
many VMs are created and managed poorly, leading to resource waste and increased 
security risks. The listed actions can help establish policies, resource allocation, and 
categorization to prevent unnecessary VM creation and ensure proper management. 


27. A company is planning to install a guest wireless network so visitors will be able to 
access the Internet. The stakeholders want the network to be easy to connect to so 
time is not wasted during meetings. The WAPs are configured so that power levels 
and antennas cover only the conference rooms where visitors will attend meetings. 
Which of the following would BEST protect the company's internal wireless network 
against visitors accessing company resources? 

A. Configure the guest wireless network to be on a separate VLAN from the 
company's internal wireless network 

B. Change the password for the guest wireless network every month. 

C. Decrease the power levels of the access points for the guest wireless network. 

D. Enable WPA2 using 802.1X for logging on to the guest wireless network. 

Answer: A 

Explanation: 
Configuring the guest wireless network on a separate VLAN from the company's 
internal wireless network will prevent visitors from accessing company resources. 


28. An analyst is working on an email security incident in which the target opened an 
attachment containing a worm. The analyst wants to implement mitigation techniques 
to prevent further spread. 
Which of the following is the BEST course of action for the analyst to take? 

A. Apply a DLP solution. 

B. Implement network segmentation. 

C. Utilize email content filtering. 

D. Isolate the infected attachments. 

Answer: B 

Explanation: 
Network segmentation is the BEST course of action for the analyst to take to prevent 
further spread of the worm. Network segmentation helps to divide a network into 
smaller segments, isolating the infected attachment from the rest of the network. This 
helps to prevent the worm from spreading to other devices within the network. 
Implementing email content filtering or a DLP solution might help in preventing the 
email from reaching the target or identifying the worm, respectively, but will not stop 
the spread of the worm. 


29. A security engineer needs to create a network segment that can be used for 
servers that require connections from untrusted networks. 

Which of the following should the engineer implement? 

A. An air gap 

B. A hot site 

C. A VLAN 


D. A screened subnet 

Answer: D 

Explanation: 

A screened subnet is a network segment that can be used for servers that require 
connections from untrusted networks. It is placed between two firewalls, with one 
firewall facing the untrusted network and the other facing the trusted network. This 
setup provides an additional layer of security by screening the traffic that flows 
between the two networks. 

References: CompTIA Security+ Certification Guide, Exam SY0-501 


30. A company was compromised, and a security analyst discovered the attacker was 
able to get access to a service account. 

The following logs were discovered during the investigation: 

User account ‘JHDoe’ does not exist... 
User account ‘VMAdmin’ does not exist... 
User account ‘tomcat’ wrong password... 
User account ‘Admin’ does not exist... 

Which of the following MOST likely would have prevented the attacker from learning 
the service account name? 

A. Race condition testing 
B. Proper error handling 
C. Forward web server logs to a SIEM 
D. Input sanitization 

Answer: D 
Explanation: 

Input sanitization can help prevent attackers from learning the service account name 
by removing potentially harmful characters from user input, reducing the likelihood of 
successful injection attacks. 


31. A security researcher is tracking an adversary by noting its attacks and techniques 
based on its capabilities, infrastructure, and victims. 

Which of the following is the researcher MOST likely using? 

A. The Diamond Model of Intrusion Analysis 

B. The Cyber Kill Chain 

C. The MITRE CVE database 

D. The incident response process 

Answer: A 


Explanation: 

The Diamond Model is a framework for analyzing cyber threats that focuses on four 
key elements: adversary, capability, infrastructure, and victim. By analyzing these 
elements, security researchers can gain a better understanding of the threat 
landscape and develop more effective security strategies. 


32. Which of the following BEST describes data streams that are compiled through 
artificial intelligence that provides insight on current cyberintrusions, phishing, and 
other malicious cyberactivity? 

A. Intelligence fusion 

B. Review reports 

C. Log reviews 


D. Threat feeds 
Answer: A 
Explanation: 

Intelligence fusion is a process that involves aggregating and analyzing data from 
multiple sources, including artificial intelligence, to provide insight on current 
cyberintrusions, phishing, and other malicious cyberactivity. 

33. As part of a company's ongoing SOC maturation process, the company wants to 
implement a method to share cyberthreat intelligence data with outside security 
partners. 
Which of the following will the company MOST likely implement? 
A. TAXII 
B. TLP 
C. TTP 
D. STIX 
Answer: A 
Explanation: 
Trusted Automated Exchange of Intelligence Information (TAXII) is a standard 
protocol that enables the sharing of cyber threat intelligence between organizations. It 
allows organizations to automate the exchange of information in a secure and timely 
manner. 


34. An information security manager for an organization is completing a PCI DSS 
self-assessment for the first time. Which of the following is the MOST likely reason for 
this type of assessment? 

A. An international expansion project is currently underway. 

B. Outside consultants utilize this tool to measure security maturity. 

C. The organization is expecting to process credit card information. 


D. A government regulator has requested this audit to be completed 

Answer: C 

Explanation: 

PCI DSS (Payment Card Industry Data Security Standard) is a set of security 
standards designed to ensure that all companies that accept, process, store, or 
transmit credit card information maintain a secure environment. Any organization that 
accepts credit card payments is required to comply with PCI DSS. 


35.Which of the following should a technician consider when selecting an encryption 
method for data that needs to remain confidential for a specific length of time? 

A. The key length of the encryption algorithm 

B. The encryption algorithm's longevity 


C. A method of introducing entropy into key calculations 
D. The computational overhead of calculating the encryption keys 
Answer: B 
Explanation: 

When selecting an encryption method for data that needs to remain confidential for a 
specific length of time, the longevity of the encryption algorithm should be considered 
to ensure that the data remains secure for the required period. Key length matters as 
well, but an algorithm that is expected to be broken or deprecated before the retention 
period ends is the wrong choice regardless of the key size used with it. 
36.A customer has reported that an organization's website displayed an image of a 
smiley face rather than the expected page for a short time two days earlier. 

A security analyst reviews log entries and sees the following around the time of the 
incident: 

Which of the following is MOST likely occurring? 
A. Invalid trust chain 

B. Domain hijacking 

C. DNS poisoning 

D. URL redirection 

Answer: C 

Explanation: 


The log entry shows the IP address for "www.example.com" being changed to a 
different IP address, which is likely the result of DNS poisoning. DNS poisoning 
occurs when an attacker is able to change the IP address associated with a domain 
name in a DNS server's cache, causing clients to connect to the attacker's server 
instead of the legitimate server. The short duration also fits a poisoned cache entry 
that later expired; a domain hijacking (a change at the registrar) would normally 
persist until the registration was corrected. 


37.Which of the following disaster recovery tests is the LEAST time consuming for the 
disaster recovery team? 

A. Tabletop 

B. Parallel 

C. Full interruption 

D. Simulation 

Answer: A 

Explanation: 
A tabletop exercise is a type of disaster recovery test that simulates a disaster 
scenario in a discussion-based format, without actually disrupting operations or 
requiring physical testing of recovery procedures. It is the least time-consuming type 
of test for the disaster recovery team. 

38.A security engineer is installing a WAF to protect the company's website from 
malicious web requests over SSL. 
Which of the following is needed to meet the objective? 
A. A reverse proxy 
B. A decryption certificate 
C. A split-tunnel VPN 
D. Load-balanced servers 

Answer: B 

Explanation: 

A Web Application Firewall (WAF) is a security solution that protects web applications 
from various types of attacks such as SQL injection, cross-site scripting (XSS), and 
others. It is typically deployed in front of web servers to inspect incoming traffic and 
filter out malicious requests. 

To inspect requests sent over SSL/TLS, the WAF must be able to decrypt them, so it 
needs a certificate and the matching private key for the site (the same certificate the 
web server presents, or one that the clients trust). With that in place the WAF can 
terminate or decrypt the TLS session, inspect the plaintext requests, and filter out 
malicious ones before forwarding the traffic to the web server. 


39.A systems analyst determines the source of a high number of connections to a 
web server that were initiated by ten different IP addresses that belong to a network 
block in a specific country. 


Which of the following techniques will the systems analyst MOST likely implement to 
address this issue? 

A. Content filter 

B. SIEM 

C. Firewall rules 

D. DLP 

Answer: C 

Explanation: 

A firewall is a network security system that monitors and controls incoming and 
outgoing network traffic based on predetermined security rules. The systems analyst 
can use firewall rules to block connections from the ten IP addresses in question, or 
from the entire network block in the specific country. This would be a quick and 
effective way to address the issue of high connections to the web server initiated by 
these IP addresses. Blocking a whole network block or country is a coarse control 
that can also cut off legitimate users, so the rules should be as narrow as the 
evidence supports and reviewed once the activity stops. 
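The explanation above leaves the choice between blocking the ten addresses and blocking the whole block to the analyst. The following Python script is an added example, not code from the original page: it takes the offending source addresses (constructed here from the 203.0.113.0/24 documentation range, not the addresses in the question), computes the smallest single prefix that covers all of them, checks that prefix against a constructed allowlist so a blanket rule does not also drop a known-good partner, and prints the equivalent nftables and iptables rules. It only generates the rules; the `inet filter` table and `input` chain in the nft lines are assumed to exist.

```python
import ipaddress

# Constructed sample: ten source addresses pulled from the web server log.
# Documentation-range addresses; not from the original question.
OFFENDING_IPS = [
    "203.0.113.5", "203.0.113.17", "203.0.113.23", "203.0.113.40", "203.0.113.41",
    "203.0.113.77", "203.0.113.90", "203.0.113.101", "203.0.113.130", "203.0.113.200",
]
# Constructed allowlist: addresses that must never be blocked (e.g. a monitoring partner).
ALLOWLIST = ["203.0.113.250", "198.51.100.9"]


def smallest_covering_network(ips):
    """Return the smallest single prefix (same address family) containing every address."""
    hosts = [ipaddress.ip_network(ip) for ip in ips]   # each address as a /32 (or /128)
    net = hosts[0]
    # Widen the prefix one bit at a time until every host falls inside it.
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()
    return net


def allowlist_conflicts(net, allowlist):
    """Allowlisted addresses that a rule for `net` would also drop."""
    return [ip for ip in allowlist if ipaddress.ip_address(ip) in net]


def block_rules(ips, allowlist, dport=443):
    """Build firewall rules. Prefer one prefix rule; fall back to per-host rules
    when the covering prefix would also catch an allowlisted address."""
    net = smallest_covering_network(ips)
    if allowlist_conflicts(net, allowlist):
        targets = [str(ipaddress.ip_network(ip)) for ip in ips]
    else:
        targets = [str(net)]
    nft = [f"nft add rule inet filter input ip saddr {t} tcp dport {dport} drop" for t in targets]
    ipt = [f"iptables -I INPUT -s {t} -p tcp --dport {dport} -j DROP" for t in targets]
    return targets, nft + ipt


if __name__ == "__main__":
    targets, rules = block_rules(OFFENDING_IPS, ALLOWLIST)
    print("blocking:", targets)
    print("\n".join(rules))
```

With the constructed allowlist the /24 would also catch 203.0.113.250, so the script falls back to ten host rules; remove that entry and it collapses to a single rule for 203.0.113.0/24.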
40.A company installed several crosscut shredders as part of increased information 
security practices targeting data leakage risks. 
Which of the following will this practice reduce? 
A. Dumpster diving 
B. Shoulder surfing 
C. Information elicitation 
D. Credential harvesting 
Answer: A 
Explanation: 
Crosscut shredders are used to destroy paper documents and reduce the risk of data 
leakage through dumpster diving. Dumpster diving is a method of retrieving sensitive 
information from paper waste by searching through discarded documents. 
41.The Chief Executive Officer announced a new partnership with a strategic vendor 
and asked the Chief Information Security Officer to federate user digital identities 
using SAML-based protocols. 
Which of the following will this enable? 
A. SSO 
B. MFA 
C. PKI 
D. DLP 
Answer: A 
Explanation: 
Federating user digital identities using SAML-based protocols enables Single Sign-On 
(SSO), which allows users to log in once and access multiple applications without 
having to enter their credentials for each one. 


42.An organization's Chief Information Security Officer is creating a position that will 

be responsible for implementing technical controls to protect data, including ensuring 

backups are properly maintained. 

Which of the following roles would MOST likely include these responsibilities? 

A. Data protection officer 

B. Data owner 

C. Backup administrator 

D. Data custodian 

E. Internal auditor 

Answer: D 

Explanation: 

Implementing technical controls to protect data and ensuring backups are properly 
maintained are responsibilities of the data custodian role. The data owner decides 
how data is classified and who may access it; the custodian operates the controls 
that enforce those decisions. 

43.As part of the building process for a web application, the compliance team requires 
that all PKI certificates are rotated annually and can only contain wildcards at the 
secondary subdomain level. 

Which of the following certificate properties will meet these requirements? 

A. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 

B. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 

C. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022 

D. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 

Answer: A 

Explanation: 

PKI certificates are digital certificates that use public key infrastructure (PKI) to verify 
the identity and authenticity of a sender and a receiver of data. PKI certificates can 
be used to secure web applications with HTTPS, which is a protocol that encrypts and 
protects the data transmitted over the internet. 

One of the properties of PKI certificates is the domain name, which is the name of 
the website or web application that the certificate is issued for. The domain name can 
be either a specific name, such as app1.comptia.org, or a wildcard name, such as 
*.comptia.org. A wildcard name means that the certificate can be used with multiple 
subdomains of a domain, such as payment.comptia.org or contact.comptia.org. The 
wildcard matches exactly one label, so *.comptia.org does not cover 
api.app1.comptia.org or the bare comptia.org. 

Another property of PKI certificates is the validity period, which is the time span during 
which the certificate is valid and can be used. The validity period is set by the 
certificate authority (CA) that issues the certificate; private CAs may issue for one to 
three years, while publicly trusted TLS certificates have been limited to a maximum of 
398 days since September 2020. The validity period can be checked by looking at the 
valid from and valid to dates on the certificate. 

Based on these properties, the certificate that will meet the requirements of rotating 
annually and only containing wildcards at the secondary subdomain level is A. 
HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022. 
This certificate has a wildcard character (*) at the secondary subdomain level, which 
means it can be used with any subdomain of comptia.org. It also has a validity 
period of less than one year, which means it will be rotated annually. 
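The two properties the explanation checks by hand, wildcard position and validity period, are easy to check mechanically when the compliance team has to review many certificates. The following Python snippet is an added example, not part of the original page: it parses the "Valid from ... - ..." text in the format the options use and accepts a name only if any wildcard is the single label directly below the base domain (assumed here to be comptia.org) and the validity period is at most 366 days (an assumption that tolerates a leap year). It is written to generalise beyond the four options, so it also rejects a third-level wildcard such as *.app1.comptia.org or a partial-label wildcard such as app*.comptia.org.

```python
from datetime import datetime, timedelta

BASE_DOMAIN = "comptia.org"            # assumption: the organisation's base domain
MAX_VALIDITY = timedelta(days=366)     # "rotated annually"; 366 tolerates a leap year
DATE_FMT = "%B %d %H:%M:%S %Y"         # e.g. "April 10 00:00:00 2021"


def parse_validity(text):
    """Parse 'Valid from <start> - <end>' into (start, end) datetimes."""
    text = text.replace("Valid from", "").strip()
    start, end = (part.strip() for part in text.split(" - "))
    return datetime.strptime(start, DATE_FMT), datetime.strptime(end, DATE_FMT)


def wildcard_ok(name):
    """A wildcard is allowed only as the whole label directly below BASE_DOMAIN,
    i.e. *.comptia.org; *.app1.comptia.org and app*.comptia.org are rejected."""
    labels = name.lower().split(".")
    if not any("*" in label for label in labels):
        return True                        # plain host name: nothing to object to
    return labels[0] == "*" and ".".join(labels[1:]) == BASE_DOMAIN


def validity_ok(text):
    """True if the certificate is valid for more than zero and at most MAX_VALIDITY."""
    start, end = parse_validity(text)
    return timedelta(0) < end - start <= MAX_VALIDITY


def meets_policy(name, validity):
    return wildcard_ok(name) and validity_ok(validity)


if __name__ == "__main__":
    # Constructed candidates modelled on the question's options
    for name, validity in [
        ("*.comptia.org", "Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022"),
        ("*.app1.comptia.org", "Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022"),
        ("*.comptia.org", "Valid from April 10 00:00:00 2021 - April 8 12:00:00 2023"),
    ]:
        print(name, validity, "->", meets_policy(name, validity))
```

A real deployment would read the names from the certificate's subjectAltName and the dates from notBefore/notAfter instead of text, but the policy logic is the same.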


44.A company would like to provide flexibility for employees on device preference. 
However, the company is concerned about supporting too many different types of 
hardware. 
Which of the following deployment models will provide the needed flexibility with the 
GREATEST amount of control and security over company data and infrastructure? 
A. BYOD 
B. VDI 
C. COPE 
D. CYOD 

Answer: D 
Explanation: 
Choose Your Own Device (CYOD) is a deployment model that allows employees to 
select from a predefined list of devices. It provides employees with flexibility in device 
preference while allowing the company to maintain control and security over company 
data and infrastructure. The CYOD deployment model is a compromise between 
the strict control provided by the Corporate-Owned, Personally Enabled (COPE) 
deployment model and the flexibility offered by the Bring Your Own Device (BYOD) 
deployment model. 


45.Which of the following must be in place before implementing a BCP? 
A. SLA 
B. AUP 
C. NDA 
D. BIA 
Answer: D 
Explanation: 


A Business Impact Analysis (BIA) is a critical component of a Business Continuity 
Plan (BCP). It identifies and prioritizes critical business functions and determines the 
impact of their disruption. 


46.A Chief Information Officer is concerned about employees using company-issued 
laptops to steal data when accessing network shares. 
Which of the following should the company implement? 


A. DLP 

B. CASB 

C. HIDS 

D. EDR 

E. UEFI 

Answer: A 

Explanation: 

The company should implement Data Loss Prevention (DLP). An endpoint DLP agent 
on the laptops can detect and block sensitive files being copied from network shares 
to removable media, personal cloud storage, or email, which is the exfiltration path 
described here. HIDS and EDR can detect the activity but are not built to enforce 
data-handling policy. 


47.The Chief Information Security Officer wants to pilot a new adaptive, user-based 
authentication method. The concept includes granting logical access based on 
physical location and proximity. 
Which of the following is the BEST solution for the pilot? 
A. Geofencing 
B. Self-sovereign identification 
C. PKI certificates 
D. SSO 
Answer: A 
Explanation: 
Geofencing is a location-based technology that allows an organization to define and 
enforce logical access control policies based on physical location and proximity. 
Geofencing can be used to grant or restrict access to systems, data, or facilities 
based on an individual's location, and it can be integrated into a user's device or the 
infrastructure. 
This makes it a suitable solution for the pilot project to test the adaptive, user-based 
authentication method that includes granting logical access based on physical 
location and proximity. 
48.Which of the following BEST describes a social-engineering attack that relies on 
an executive at a small business visiting a fake banking website where credit card 
and account details are harvested? 
A. Whaling 
B. Spam 
C. Invoice scam 
D. Pharming 
Answer: A 
Explanation: 
A social engineering attack that relies on an executive at a small business visiting a 
fake banking website where credit card and account details are harvested is known 
as whaling. Whaling is a type of phishing attack that targets high-profile individuals, 


such as executives, to steal sensitive information or gain access to their accounts. 


49.A company recently experienced a major breach. An investigation concludes that 
customer credit card data was stolen and exfiltrated through a dedicated business 
partner connection to a vendor, who is not held to the same security control 
standards. 

Which of the following is the MOST likely source of the breach? 

A. Side channel 

B. Supply chain 

C. Cryptographic downgrade 


D. Malware 
Answer: B 
Explanation: 

A supply chain attack occurs when a third-party supplier or business partner is 
compromised, leading to an attacker gaining unauthorized access to the targeted 
organization's network. In this scenario, the dedicated business partner connection to 
a vendor was used to exfiltrate customer credit card data, indicating that the vendor's 
network was breached and used as a supply chain attack vector. 

50.During a security assessment, a security analyst finds a file with overly permissive 
permissions. 
Which of the following tools will allow the analyst to reduce the permissions for the 
existing users and groups and remove the set-user-ID from the file? 
A. ls 
B. chflags 
C. chmod 
D. lsof 
E. setuid 

Answer: C 
Explanation: 
The chmod command is used to change the permissions of a file or directory. The 
analyst can use chmod to reduce the permissions for existing users and groups and 
remove the set-user-ID bit from the file. 
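The change the explanation describes is `chmod u-s,g-s,g-w,o-rwx FILE` (or `chmod 0750 FILE`). The following Python script is an added example, not part of the original page: it creates a constructed world-writable setuid file in a temporary directory, locates it the way `find / -perm -4000` would, applies the same permission change through `os.chmod`, and reports the mode before and after so the effect of each bit is visible. The file name and directory are hypothetical.

```python
import os
import stat
import tempfile


def harden_file_mode(path):
    """Clear set-user-ID/set-group-ID and cut group/other access on `path`.
    Shell equivalent: chmod u-s,g-s,g-w,o-rwx FILE.  Returns the new mode bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode &= ~(stat.S_ISUID | stat.S_ISGID)   # remove setuid and setgid
    mode &= ~stat.S_IRWXO                    # nothing for "other"
    mode &= ~stat.S_IWGRP                    # group keeps read/execute, loses write
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def has_setuid(path):
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def find_setuid(root):
    """List regular files under `root` with the setuid bit set (like find -perm -4000)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p)
    return hits


def demo():
    """Create a constructed world-writable setuid file, harden it, report before/after."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "overly_permissive")      # hypothetical file
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(path, 0o4777)                   # rwsrwxrwx: the finding from the assessment
    before = has_setuid(path)
    found = find_setuid(tmpdir)
    new_mode = harden_file_mode(path)
    after = has_setuid(path)
    os.unlink(path)
    os.rmdir(tmpdir)
    return before, len(found), oct(new_mode), after


if __name__ == "__main__":
    print(demo())
```

Of the listed options only chmod changes mode bits: `ls` and `lsof` only report, `chflags` sets BSD file flags such as immutable, and `setuid` is a system call for changing a process's user ID, not a file tool.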


51.During an incident, a company's CIRT determines it is necessary to observe the 
continued network-based transactions between a callback domain and the malware 
running on an enterprise PC. 

Which of the following techniques would be BEST to enable this activity while 
reducing the risk of lateral spread and the risk that the adversary would notice any 
changes? 

A. Physically move the PC to a separate internet point of presence. 

B. Create and apply microsegmentation rules. 

C. Emulate the malware in a heavily monitored DMZ segment. 

D. Apply network blacklisting rules for the adversary domain. 

Answer: C 

Explanation: 

To observe the continued network-based transactions between a callback domain and 
the malware running on an enterprise PC while reducing the risk of lateral spread and 
the risk that the adversary would notice any changes, the best technique to use is to 
emulate the malware in a heavily monitored DMZ segment. This is a segregated 
environment that is isolated from the rest of the network and can be heavily monitored 
to detect any suspicious activity. By emulating the malware in this environment, the 
activity can be observed without the risk of lateral spread or detection by the 
adversary. Moving the PC or blocking the domain changes what the adversary sees 
and risks tipping them off; microsegmentation alone still leaves the live malware on a 
production host. 
References: https://www.sans.org/blog/incident-response-fundamentals-why-is-the-dmz-so-important/ 
52.During an incident, a company's CIRT determines it is necessary to observe the 
continued network-based transactions between a callback domain and the malware 
running on an enterprise PC. 

Which of the following techniques would be BEST to enable this activity while 
reducing the risk of lateral spread and the risk that the adversary would notice any 
changes? 

A. Physically move the PC to a separate Internet point of presence. 

B. Create and apply microsegmentation rules. 

C. Emulate the malware in a heavily monitored DMZ segment. 

D. Apply network blacklisting rules for the adversary domain. 

Answer: C 

Explanation: 

Emulating the malware in a heavily monitored DMZ segment is the best option for 
observing network-based transactions between a callback domain and the malware 
running on an enterprise PC. This approach provides an isolated environment for the 
malware to run, reducing the risk of lateral spread and detection by the adversary. 
Additionally, the DMZ can be monitored closely to gather intelligence on the 
adversary's tactics and techniques. 


53.Which of the following BEST describes the team that acts as a referee during a 
penetration-testing exercise? 

A. White team 

B. Purple team 

C. Green team 


D. Blue team 

E. Red team 

Answer: A 

Explanation: 

During a penetration testing exercise, the white team is responsible for acting as a 
referee and providing oversight and support to ensure that the testing is conducted 
safely and effectively. They may also be responsible for determining the rules and 
guidelines of the exercise, monitoring the progress of the teams, and providing 
feedback and insights on the strengths and weaknesses of the organization's security 
measures. 


54.A security engineer is hardening existing solutions to reduce application 
vulnerabilities. 

Which of the following solutions should the engineer implement FIRST? (Select TWO) 
A. Auto-update 
B. HTTP headers 
C. Secure cookies 
D. Third-party updates 
E. Full disk encryption 
F. Sandboxing 
G. Hardware encryption 
Answer: A,F 
Explanation: 
Auto-update can help keep the app up-to-date with the latest security fixes and 
enhancements, and reduce the risk of exploitation by attackers who target outdated or 
vulnerable versions of the app. 

Sandboxing can help isolate the app from other processes and resources on the 
system, and limit its access and permissions to only what is necessary. Sandboxing can 
help prevent the app from being affected by or affecting other applications or system 
components, and contain any potential damage in case of a breach. 


55.A financial institution would like to store its customer data in a cloud but still allow 
the data to be accessed and manipulated while encrypted. Doing so would prevent 
the cloud service provider from being able to decipher the data due to its sensitivity. 
The financial institution is not concerned about computational overheads and slow 
speeds. 

Which of the following cryptographic techniques would BEST meet the requirement? 
A. Asymmetric 

B. Symmetric 

C. Homomorphic 


D. Ephemeral 

Answer: C 

Explanation: 

Homomorphic encryption allows computations to be performed directly on ciphertext, 
producing an encrypted result that decrypts to the same value as if the operation had 
been carried out on the plaintext. The cloud provider can therefore store and 
manipulate the data without ever holding the key or seeing the plaintext. Symmetric 
and asymmetric encryption protect data at rest and in transit, but the data has to be 
decrypted before it can be processed, which would expose it to the provider. The 
remark that computational overhead and slow speeds are acceptable points at 
homomorphic encryption, which is orders of magnitude slower than conventional 
ciphers. 


56.An organization discovered a disgruntled employee exfiltrated a large amount of 
PII data by uploading files. 

Which of the following controls should the organization consider to mitigate this risk? 
A. EDR 


B. Firewall 
C. HIPS 
D. DLP 
Answer: D 
Explanation: 

DLP stands for data loss prevention, which is a set of tools and processes that aim to 
prevent unauthorized access, use, or transfer of sensitive data. DLP can help mitigate 
the risk of data exfiltration by disgruntled employees or external attackers by 
monitoring and controlling data flows across endpoints, networks, and cloud services. 
DLP can also detect and block attempts to copy, print, email, upload, or download 
sensitive data based on predefined policies and rules. 
References: 
https://www.comptia.org/certifications/security#examdetails 
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives 
https://www.forcepoint.com/cyber-edu/data-loss-prevention-dlp 
57.A security administrator is working on a solution to protect passwords stored in a 
database against rainbow table attacks. 
Which of the following should the administrator consider? 
A. Hashing 
B. Salting 
C. Lightweight cryptography 
D. Steganography 
Answer: B 
Explanation: 
Salting is a technique that adds random data to a password before hashing it. This 
makes the hash output unique to each stored password, even when two users choose 
the same password, and prevents attackers from using precomputed tables (such as 
rainbow tables) to crack the password hashes: a table would have to be built per salt. 
Salting on its own does not slow down a brute-force attack against a single hash, so it 
should be combined with a deliberately slow password hashing function such as 
PBKDF2, bcrypt, scrypt, or Argon2. 


References: 

https://www.comptia.org/certifications/security#examdetails 
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives 
https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/ 
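The following Python code is an added example, not part of the original page. It puts the unsalted hash the rainbow table attacks next to a salted, iterated PBKDF2-HMAC-SHA256 hash from the standard library: the same password stored for two users gives identical unsalted digests but different salted ones, and verification recomputes from the salt and iteration count stored alongside the digest. The iteration count is an assumption chosen to match current OWASP guidance for PBKDF2-SHA256; the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000   # work factor; assumption matching OWASP guidance for PBKDF2-SHA256


def unsalted_hash(password):
    """How NOT to store a password: identical passwords give identical digests,
    so one precomputed (rainbow) table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. Returns a self-describing string: algo$iter$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)    # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt, iterations)
    return "$".join([
        f"pbkdf2_{ALGORITHM}", str(iterations),
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode(),
    ])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_b64, digest_b64 = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


if __name__ == "__main__":
    pw = "Winter2024!"                                    # constructed sample password
    print(unsalted_hash(pw) == unsalted_hash(pw))         # True: one table cracks both users
    a, b = hash_password(pw), hash_password(pw)
    print(a != b, verify_password(pw, a), verify_password("wrong", a))
```

Storing the iteration count with the hash lets the work factor be raised later without breaking existing records; `hmac.compare_digest` avoids leaking how many leading bytes matched through timing.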


58.Which of the following incident response steps occurs before containment? 

A. Eradication 

B. Recovery 

C. Lessons learned 

D. Identification 

Answer: D 

Explanation: 
In the incident response process, identification (sometimes called detection and 
analysis) is the step in which the team recognizes that an incident has occurred; it 
comes after preparation and before containment. Containment is followed by 
eradication, recovery, and lessons learned. 

59.Employees at a company are receiving unsolicited text messages on their 
corporate cell phones. The unsolicited text messages contain a password reset link. 
Which of the attacks is being used to target the company? 

A. Phishing 

B. Vishing 

C. Smishing 

D. Spam 

Answer: C 
Explanation: 
Smishing is a type of phishing attack which begins with an attacker sending a text 
message to an individual. The message contains social engineering tactics to 
convince the person to click on a malicious link or send sensitive information to the 
attacker. 

Criminals use smishing attacks for purposes like: 

Learn login credentials to accounts via credential phishing 

Discover private data like social security numbers 

Send money to the attacker 

Install malware on a phone 

Establish trust before using other forms of contact like phone calls or emails 
Attackers may pose as trusted sources like a government organization, a person you 
know, or your bank. And messages often come with manufactured urgency and time- 
sensitive threats. This can make it more difficult for a victim to notice a scam. 

Phone numbers are easy to spoof with VoIP texting, where users can create a virtual 
number to send and receive texts. If a certain phone number is flagged for spam, 
criminals can simply recycle it and use a new one. 


60.Which of the following would MOST likely be identified by a credentialed scan but 
would be missed by an uncredentialed scan? 

A. Vulnerabilities with a CVSS score greater than 6.9. 

B. Critical infrastructure vulnerabilities on non-IP protocols. 

C. CVEs related to non-Microsoft systems such as printers and switches. 

D. Missing patches for third-party software on Windows workstations and servers. 
Answer: D 

Explanation: 

An uncredentialed scan would miss missing patches for third-party software on 
Windows workstations and servers. A credentialed scan, however, can log on to the 
host and read the registry and file system to determine the patch level of third-party 
software that exposes no network service for a remote scanner to fingerprint. 

61.one of the attendees starts to notice delays in the connection, and the HTTPS site 
requests are reverting to HTTP. 
Which of the following BEST describes what is happening? 
A. Birthday collision on the certificate key 
B. DNS hacking to reroute traffic 
C. Brute force to the access point 
D. A SSL/TLS downgrade 
Answer: D 
Explanation: 
The scenario describes a man-in-the-middle (MitM) attack where the attacker 
intercepts traffic and downgrades the secure SSL/TLS connection to an insecure 
HTTP connection. This type of attack is commonly known as an SSL/TLS downgrade 
attack or an SSL stripping attack. The attacker is able to see and modify the 
communication between the client and server. Sites that send an HTTP Strict 
Transport Security (HSTS) header, and browsers that carry the domain on the HSTS 
preload list, refuse to fall back to HTTP, which is the standard defence against 
stripping. 

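From the defender's side, the symptom in the question shows up in proxy or web logs as a client that was talking to a host over HTTPS and then, minutes later, sends the same host plain HTTP requests (including a POST of the login form). The following Python script is an added example, not part of the original page: it runs that check over a few constructed proxy log lines and, separately, tests whether a set of response headers carries an HSTS policy strong enough to stop the fallback. Host names, addresses and the log format are assumptions.

```python
import re
from datetime import datetime

# Constructed proxy log lines (not from the page): time, client, method, URL
LOG = """\
2024-05-02T10:00:01 10.10.5.21 GET https://bank.example/login
2024-05-02T10:00:09 10.10.5.21 GET https://bank.example/account
2024-05-02T10:03:40 10.10.5.21 GET http://bank.example/account
2024-05-02T10:03:41 10.10.5.21 POST http://bank.example/login
2024-05-02T10:05:00 10.10.5.33 GET http://news.example/
2024-05-02T10:05:30 10.10.5.33 GET https://news.example/
"""
LINE = re.compile(r"(\S+) (\S+) (\S+) (https?)://([^/\s]+)(\S*)")


def find_downgrades(log, window_minutes=15):
    """Flag (client, host, method, time) where a client used HTTPS and then plain
    HTTP for the same host within the window: the pattern a stripping proxy
    produces. A host first seen over HTTP that later upgrades is not flagged."""
    last_https = {}
    flagged = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, method, scheme, host, _path = m.groups()
        t = datetime.fromisoformat(ts)
        key = (client, host)
        if scheme == "https":
            last_https[key] = t
        elif key in last_https and (t - last_https[key]).total_seconds() <= window_minutes * 60:
            flagged.append((client, host, method, ts))
    return flagged


def hsts_protects(headers, min_age=31536000):
    """True if the response carries an HSTS policy of at least min_age seconds
    (one year is the usual minimum and the preload-list requirement)."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if not value:
        return False
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= min_age


if __name__ == "__main__":
    for hit in find_downgrades(LOG):
        print("possible SSL stripping:", hit)
    print(hsts_protects({"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}))
```

HSTS only helps a client that has already seen the header (or has the domain preloaded), which is why the first visit over an attacker-controlled network remains the weak point.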
62.Which of the following biometric authentication methods is the MOST accurate? 
A. Gait 
B. Retina 
C. Signature 
D. Voice 
Answer: B 
Explanation: 
Retina authentication is the most accurate biometric authentication method. Retina 
authentication is based on recognizing the unique pattern of blood vessels and other 
features in the retina. This makes it virtually impossible to duplicate or bypass, making 
it the most secure form of biometric authentication currently available. 


63.A user attempts to load a web-based application, but the expected login screen 
does not appear A help desk analyst troubleshoots the issue by running the following 
command and reviewing the output on the user's PC 
The help desk analyst then runs the same command on the local PC. 
Which of the following BEST describes the attack that is being detected? 
A. Domain hijacking 
B. DNS poisoning 
C. MAC flooding 
D. Evil twin 
Answer: B 
Explanation: 
DNS poisoning, also known as DNS spoofing or DNS cache poisoning, is a form of 
computer security hacking in which corrupt Domain Name System (DNS) data is 
introduced into the DNS resolver's cache, causing the name server to return an 
incorrect result record, such as an IP address. This results in traffic being diverted to 
the attacker's computer (or any other malicious destination). 
DNS poisoning can be performed by various methods, such as: 
- Intercepting and forging DNS responses from legitimate servers 
- Compromising DNS servers and altering their records 
- Exploiting vulnerabilities in DNS protocols or implementations 
- Sending malicious emails or links that trigger DNS queries with poisoned responses 
According to CompTIA Security+ SY0-601 Exam Objectives 1.4 Given a scenario, 
analyze potential indicators to determine the type of attack: 
"DNS poisoning, also known as DNS spoofing or DNS cache poisoning, is a form of 
computer security hacking in which corrupt Domain Name System (DNS) data is 
introduced into the DNS resolver's cache, causing the name server to return an 
incorrect result record." 
References: 
https://www.comptia.org/certifications/security#examdetails 
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives 
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/ 


64.An organization wants seamless authentication to its applications. 

Which of the following should the organization employ to meet this requirement? 
A. SOAP 

B. SAML 

C. SSO 

D. Kerberos 

Answer: C 

Explanation: 

Single Sign-On (SSO) is a mechanism that allows users to access multiple 
applications with a single set of login credentials. 


65.Certain users are reporting their accounts are being used to send unauthorized 


emails and conduct suspicious activities. 
After further investigation, a security analyst notices the following: 
• All users share workstations throughout the day. 
• Endpoint protection was disabled on several workstations throughout the network. 
• Travel times on logins from the affected users are impossible. 
• Sensitive data is being uploaded to external sites. 
• All user account passwords were forced to be reset and the issue continued. 
Which of the following attacks is being used to compromise the user accounts? 
A. Brute-force 
B. Keylogger 
C. Dictionary 
D. Rainbow 
Answer: B 
Explanation: 
The symptoms point to a keylogger on the shared workstations: endpoint protection 
was disabled so the keylogger could be installed, new passwords were captured as 
soon as users typed them (which is why the forced reset did not help), and the stolen 
credentials were then used from remote locations, producing the impossible travel 
times. A brute-force, dictionary, or rainbow-table attack would have to be repeated 
against every new password and would not explain the disabled endpoint protection. 
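"Impossible travel" is one of the indicators in the list above, and it is a detection a SIEM or a short script can compute from authentication logs. The following Python code is an added example, not part of the original page: it takes constructed login events (user, UTC time, GeoIP latitude and longitude), computes the great-circle distance between each user's consecutive logins with the haversine formula, and flags pairs whose implied speed exceeds a threshold. The threshold of 1000 km/h and the 50 km floor that ignores GeoIP jitter are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login events (not from the page): user, UTC time, latitude, longitude
LOGINS = [
    ("jdoe",   "2024-03-04T08:02:00", 40.7128, -74.0060),   # New York
    ("jdoe",   "2024-03-04T08:47:00", 52.5200,  13.4050),   # Berlin, 45 minutes later
    ("asmith", "2024-03-04T09:00:00", 40.7128, -74.0060),   # New York
    ("asmith", "2024-03-04T17:30:00", 41.8781, -87.6298),   # Chicago, 8.5 hours later
]
MAX_KMH = 1000    # faster than a commercial flight between two logins is suspect (assumption)
MIN_KM = 50       # ignore small distances that GeoIP accuracy cannot support (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, from_ts, to_ts, km, kmh) for consecutive logins of the same
    user that would require travelling faster than max_kmh."""
    flagged = []
    last = {}
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            pts, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > min_km and speed > max_kmh:
                flagged.append((user, pts.isoformat(), ts, round(km), round(speed)))
        last[user] = (t, lat, lon)
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(LOGINS):
        print("impossible travel:", hit)
```

On its own the rule produces false positives for VPN users and mobile carriers with distant GeoIP egress points, so it is usually scored together with other signals, such as the disabled endpoint protection and the uploads in the question, rather than used to lock accounts directly.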
66.A company's public-facing website, https://www.organization.com, has an IP 
address of 166.18.75.6. However, over the past hour the SOC has received reports of 
the site's homepage displaying incorrect information. A quick nslookup search shows 
https://www.organization.com is pointing to 151.191.122.115. 
Which of the following is occurring? 
A. DoS attack 
B. ARP poisoning 
C. DNS spoofing 
D. NXDOMAIN attack 
Answer: C 
Explanation: 
The issue is DNS spoofing, where the DNS resolution has been compromised and is 


pointing to a malicious IP address. 
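Questions 36, 63 and 66 all hinge on the same check: an nslookup answer that disagrees with the address the site is known to have, or with the answer another resolver gives. The following Python code is an added example, not part of the original page: it parses constructed nslookup output (the resolver's own Server/Address lines are skipped so they are not mistaken for an answer), compares the result with a known-good baseline, and compares two resolvers' answers the way the help desk analyst in question 63 compares the user's PC with the local PC. The resolver address and the baseline record are assumptions; the two site addresses are the ones from question 66.

```python
# Constructed nslookup output from the user's PC (not from the page)
OBSERVED = """\
Server:  10.0.0.53
Address: 10.0.0.53#53

Non-authoritative answer:
Name:   www.organization.com
Address: 151.191.122.115
"""
# Known-good answers, e.g. from the authoritative servers or the change record
BASELINE = {"www.organization.com": {"166.18.75.6"}}


def parse_nslookup(output):
    """Return {name: set(addresses)} from nslookup output, skipping the
    Server/Address lines that describe the resolver itself."""
    answers, current = {}, None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            current = value
            answers.setdefault(current, set())
        elif key == "address" and current is not None:
            answers[current].add(value.split("#")[0])   # drop a "#port" suffix if present
    return answers


def dns_mismatches(observed, baseline):
    """Names whose observed addresses differ from the baseline: {name: (seen, expected)}."""
    return {
        name: (addrs, baseline[name])
        for name, addrs in observed.items()
        if name in baseline and addrs != baseline[name]
    }


def resolvers_disagree(a, b):
    """Names that two resolvers answer differently (the user's PC vs the help desk PC)."""
    return sorted(n for n in a.keys() & b.keys() if a[n] != b[n])


if __name__ == "__main__":
    seen = parse_nslookup(OBSERVED)
    print(dns_mismatches(seen, BASELINE))
    print(resolvers_disagree(seen, BASELINE))
```

When only one resolver or one client returns the wrong address, the cache of that resolver (or the client's hosts file) is the place to look; when every resolver, including the authoritative servers, returns it, the registration itself has been changed, which is domain hijacking rather than cache poisoning.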


67.A Chief Information Officer receives an email stating a database will be encrypted 
within 24 hours unless a payment of $20,000 is credited to the account mentioned In 
the email. 

This BEST describes a scenario related to: 

A. whaling. 

B. smishing. 

C. spear phishing 

D. vishing 

Answer: C 

Explanation: 

The scenario of receiving an email stating a database will be encrypted unless a 
payment is made is an example of spear phishing: a targeted message sent to a 
specific individual, here the CIO, to pressure that person into an action. 

68.An analyst is generating a security report for the management team. Security 
guidelines recommend disabling all listening unencrypted services. 

Given this output from Nmap: 

Which of the following should the analyst recommend to disable? 
A. 21/tcp 

B. 22/tcp 

C. 23/tcp 

D. 443/tcp 

Answer: A 


69.Which of the following would be BEST for a technician to review to determine the 
total risk an organization can bear when assessing a "cloud-first" adoption strategy? 
A. Risk matrix 

B. Risk tolerance 


C. Risk register 

D. Risk appetite 

Answer: B 

Explanation: 

To determine the total risk an organization can bear, a technician should review the 
organization's risk tolerance, which is the amount of risk the organization is willing to 
accept. This information will help determine the organization's "cloud-first" adoption 
strategy. 


70.A help desk technician receives an email from the Chief Information Officer (CIO) 
asking for documents. The technician knows the CIO is on vacation for a few weeks. 
Which of the following should the technician do to validate the authenticity of the 
email? 
A. Check the metadata in the email header of the received path in reverse order to 
follow the email's path. 
B. Hover the mouse over the CIO's email address to verify the email address. 
C. Look at the metadata in the email header and verify the "From:" line matches the 
CIO's email address. 
D. Forward the email to the CIO and ask if the CIO sent the email requesting the 
documents. 

Answer: B 

Explanation: 

The "From:" line in the email header can be easily spoofed or manipulated by an 
attacker to make it look like the email is coming from the CIO's email address. 
However, this does not mean that the email address is actually valid or that the email 
was actually sent by the CIO. A better way to check the email address is to hover over it 
and see if it matches the CIO's email address exactly. This can help to spot any 
discrepancies or typos that might indicate a phishing attempt. For example, if the 
CIO's email address is cio@company.com, but when you hover over it, it shows 
cio@compnay.com, then you know that the email is not authentic and likely a 
phishing attempt. Hovering only exposes a look-alike address; if the attacker spoofed 
the exact address, the Authentication-Results header (the SPF, DKIM and DMARC 
results added by the receiving mail server) is what reveals it, and confirming the 
request with the CIO over a separate channel such as a phone call is the safest 
course. 
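The checks described above (the address behind the display name, a Reply-To that points somewhere else, and the receiving server's SPF/DKIM/DMARC verdicts) can be applied to the raw message. The following Python code is an added example, not part of the original page: it parses a constructed message that imitates the one in the question, with the look-alike domain from the explanation, and returns a list of findings. The trusted domain, the Authentication-Results content and all addresses are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed raw message (not from the page): made to look as if it is from the CIO
RAW = b"""\
Return-Path: <bounce@mailer.compnay.com>
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=mailer.compnay.com;
 dkim=none; dmarc=fail header.from=compnay.com
From: Chief Information Officer <cio@compnay.com>
Reply-To: cio.urgent@gmail.com
To: helpdesk@company.com
Subject: Need the vendor contracts today

Please send me the signed contracts as soon as possible. I am travelling.
"""
TRUSTED_DOMAIN = "company.com"     # assumption: the organisation's real mail domain


def check_sender(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of findings that argue against the message being genuine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. The address behind the display name must be on the trusted domain.
    _name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != trusted_domain:
        findings.append(f"from-domain-mismatch:{from_domain}")

    # 2. A Reply-To that differs from From sends the reply to the attacker.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"reply-to-differs:{reply_to}")

    # 3. The receiving server's own authentication verdicts.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth or f"{check}=none" in auth:
            findings.append(f"{check}-not-passed")
    return findings


if __name__ == "__main__":
    for finding in check_sender(RAW):
        print(finding)
```

An empty list is not proof of authenticity (a compromised real mailbox passes every one of these checks), which is why the out-of-band confirmation still matters for an unusual request.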


71.Which of the following is the MOST secure but LEAST expensive data destruction 
method for data that is stored on hard drives? 

A. Pulverizing 

B. Shredding 

C. Incinerating 

D. Degaussing 

Answer: B 

Explanation: 

Shredding may be the most secure and cost-effective way to destroy electronic data 
in any media that contain hard drives or solid-state drives and have reached their 
end-of-life. Shredding reduces electronic devices to pieces no larger than 2 millimeters. 
Therefore, shredding is the most secure but least expensive data destruction method 
for data that is stored on hard drives. Degaussing is cheaper still but has no effect on 
solid-state drives, which store nothing magnetically. 


72.A business is looking for a cloud service provider that offers a la carte services, 
including cloud backups, VM elasticity, and secure networking. 

Which of the following cloud service provider types should business engage? 

A. IaaS 

B. PaaS 

C. XaaS 

D. SaaS 
Answer: A 
Explanation: 

Infrastructure as a Service (IaaS) providers offer a la carte services, including cloud 
backups, VM elasticity, and secure networking. With IaaS, businesses can rent 
infrastructure components such as virtual machines, storage, and networking from a 
cloud service provider. 

73.A large enterprise has moved all its data to the cloud behind strong authentication 
and encryption. A sales director recently had a laptop stolen, and later, enterprise 
data was found to have been compromised from a local database. 
Which of the following was the MOST likely cause? 
A. Shadow IT 
B. Credential stuffing 
C. SQL injection 
D. Man in the browser 
E. Bluejacking 

Answer: A 
Explanation: 
The most likely cause of the enterprise data being compromised from a local 
database is Shadow IT. Shadow IT is the use of unauthorized applications or devices 
by employees to access company resources. In this case, the sales director's laptop 
was stolen, and the attacker was able to use it to access the local database, which 
was not secured properly, allowing unauthorized access to sensitive data. 


74.Which of the following BEST describes a technique that compensates researchers 
for finding vulnerabilities? 

A. Penetration testing 

B. Code review 


C. Wardriving 
D. Bug bounty 
Answer: D 
Explanation: 
A bug bounty is a technique that compensates researchers for finding vulnerabilities 
in software or systems. A bug bounty program offers rewards, usually monetary, to 
ethical hackers who report security flaws to the owners or developers of the software 
or system. Companies such as Meta (formerly Facebook), Google, and Microsoft run such 
programs to improve the security of their products and services. Bug bounty programs 
provide an additional layer of security testing and incentivize researchers to report 
vulnerabilities instead of exploiting them. Penetration testing and code review are 
assessment activities paid for as a service, and wardriving is scanning for wireless 
networks; none of them rewards third-party researchers per vulnerability found. 
75.After a phishing scam for a user's credentials, the red team was able to craft a 
payload to deploy on a server. The attack allowed the installation of malicious 
software that initiates a new remote session. 
Which of the following types of attacks has occurred? 
A. Privilege escalation 

B. Session replay 

C. Application programming interface 

D. Directory traversal 

Answer: A 

Explanation: 

Privilege escalation is the act of exploiting a bug, design flaw, or configuration 
oversight in an operating system or software application to gain elevated access to 
resources that are normally protected from an application or user. In this scenario, 
the red team started with an ordinary user's phished credentials and ended up 
installing software on a server that opens a new remote session, which requires 
privileges the phished user should not have had. Therefore, the type of attack that 
occurred is privilege escalation. 
76.A developer is building a new portal to deliver single-pane-of-glass management 
capabilities to customers with multiple firewalls. To improve the user experience, the 
developer wants to implement an authentication and authorization standard that uses 
security tokens that contain assertions to pass user information between nodes. 
Which of the following roles should the developer configure to meet these 
requirements? (Select TWO). 

A. Identity processor 

B. Service requestor 

C. Identity provider 

D. Service provider 


E. Tokenized resource 
F. Notarized referral 
Answer: C,D 
Explanation: 


The standard described (security tokens that carry assertions between nodes) is SAML, 
and SAML defines two roles. An identity provider (IdP) is responsible for 
authenticating users and generating the signed security tokens (assertions) containing 
user information. A service provider (SP), here the management portal, is responsible 
for accepting those tokens and granting access to resources based on the user's 
identity. 


77.A security analyst has received several reports of an issue on an internal web 
application. Users state they are having to provide their credentials twice to log in. 
The analyst checks with the application team and notes this is not an expected 
behavior. 
After looking at several logs, the analyst decides to run some commands on the 
gateway and obtains the following output (an ARP cache listing; parts of the scan are 
illegible and are marked as unreadable): 

Internet address      Physical address      Type 
192.168.1.4           ff-ec-ab-00-aa-78     dynamic 
(unreadable)          ff-00-5e-48-00-fb     dynamic 
192.168.1.8           00-0c-29-1a-e7-fa     dynamic 
(unreadable)          fc-41-5e-48-00-ff     dynamic 
224.215.54.47         (unreadable)          static 
Which of the following BEST describes the attack the company is experiencing? 
A. MAC flooding 
B. URL redirection 

C. ARP poisoning 
D. DNS hijacking 

Answer: C 
Explanation: 


The output is the gateway's ARP cache (the listing that `arp -a` produces): each row 
binds an IP address to the physical (MAC) address that will be used to reach it on the 
local segment. ARP has no authentication, so an attacker on the same segment can send 
forged ARP replies and have their own MAC address cached for another host's IP address, 
typically the gateway's or the application server's. The indicator in such a listing is 
a physical address bound to an IP address it should not have, most commonly the same 
MAC address appearing for more than one IP address. 

Once the cache is poisoned, traffic between the users and the application passes 
through the attacker's machine (an on-path position). The attacker can drop or tamper 
with the first login and let the second one through, capturing the credentials while 
users merely see a repeated prompt. That matches the symptom reported here: a double 
login prompt on an application that is not configured to behave that way. 

This type of attack is ARP poisoning. MAC flooding overwhelms a switch's CAM table 
rather than altering IP-to-MAC mappings, and URL redirection or DNS hijacking would 
send users to a different site rather than cause duplicate logins on the internal 
application; neither would show up in the ARP cache. 
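As an added example (not part of the original question or its explanation), the following Python script parses a Windows-style `arp -a` listing and flags any physical address that is dynamically bound to more than one IP address, which is the indicator a poisoned cache shows. The ARP table embedded in it is constructed for the demonstration and is not the output from the question; all addresses in it are assumptions.

```python
"""Flag ARP-poisoning indicators in an `arp -a` style listing.

Added example: parses Windows-style ARP cache rows (Internet address,
Physical address, Type) and reports any MAC address that is dynamically
bound to more than one IP address. SAMPLE_ARP_OUTPUT is constructed for
the demo; its addresses are assumptions, not the question's output.
"""
import re
from collections import defaultdict

# Constructed sample: 192.168.1.1 (assumed gateway) and 192.168.1.8 resolve to
# the same MAC, which is what a poisoned cache typically looks like.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-1a-e7-fa     dynamic
  192.168.1.4           ff-ec-ab-00-aa-78     dynamic
  192.168.1.8           00-0c-29-1a-e7-fa     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# One ARP row: IPv4 address, MAC in hyphen or colon notation, entry type.
ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+"
    r"(?P<type>dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type); MACs normalised to lowercase, hyphenated."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            mac = m.group("mac").lower().replace(":", "-")
            entries.append((m.group("ip"), mac, m.group("type").lower()))
    return entries


def find_duplicate_macs(entries):
    """Map each MAC on more than one dynamic entry to the IPs claiming it.

    Broadcast (ff-ff-...) and multicast (01-00-5e-...) mappings legitimately
    repeat and are static, so only dynamic entries are considered.
    """
    by_mac = defaultdict(list)
    for ip, mac, typ in entries:
        if typ == "dynamic":
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_macs(parse_arp_table(SAMPLE_ARP_OUTPUT))
    for mac, ips in dupes.items():
        print(f"possible ARP poisoning: {mac} is claimed by {', '.join(ips)}")
```

Run against a real capture with `arp -a > arp.txt` and `parse_arp_table(open("arp.txt").read())`; a hit means the listed IPs should be checked against the switch's port-to-MAC table to see which one is genuine.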


78.A dynamic application vulnerability scan identified that code injection could be 
performed using a web form. 

Which of the following will be the BEST remediation to prevent this vulnerability? 
A. Implement input validation 

B. Deploy MFA 

C. Utilize a WAF 

D. Configure HIPS 

Answer: A 

Explanation: 

Implementing input validation prevents code injection by verifying the type, format, 
and length of user input before the application uses it, and rejecting anything that 
does not match. A WAF or HIPS only filters known attack patterns in front of the flawed 
code and can be bypassed, and MFA does not address the flaw at all; fixing the 
application is the remediation. 
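An added example, not from the page: a hypothetical form handler that takes a "discount" field. The first version builds a Python expression from the field and passes it to `eval()`, which is exactly the kind of code injection a dynamic scanner flags; the second validates the field against the only format it should ever have and converts it with `int()`. The field name, its format, and the demo payload are assumptions for the illustration.

```python
"""Code injection through a web form field, and the input-validation fix.

Added example (not from the page). 'discount' is assumed to be a form field
that should contain an integer percentage such as '10%'.
"""
import re


def vulnerable_discount(form_value):
    """Vulnerable: the field is spliced into a Python expression and eval'd.

    Any value is executed as code. The demo payload used in the tests below
    only calls os.getpid() so that running it is harmless, but a real attacker
    would substitute anything the process can do.
    """
    expr = form_value.rstrip("%") + " / 100"
    return eval(expr)  # noqa: S307  (deliberately vulnerable)


# Allowlist: a whole number from 0 to 100 followed by a percent sign, nothing else.
DISCOUNT_RE = re.compile(r"^(?P<pct>100|[1-9]?[0-9])%$")


def validated_discount(form_value):
    """Hardened: accept only '<0-100>%', parse with int(), never evaluate as code."""
    m = DISCOUNT_RE.fullmatch(form_value.strip())
    if m is None:
        raise ValueError("discount must be an integer percentage such as '10%'")
    return int(m.group("pct")) / 100


if __name__ == "__main__":
    # Constructed inputs: a legitimate value and an injection payload.
    for value in ("10%", "__import__('os').getpid() or 0"):
        print("vulnerable:", value, "->", vulnerable_discount(value))
        try:
            print("validated: ", value, "->", validated_discount(value))
        except ValueError as exc:
            print("validated: ", value, "-> rejected:", exc)
```

The validated version is an allowlist (what is permitted) rather than a denylist of dangerous characters; denylists are what attackers routinely bypass with alternative encodings, and they are also the reason a WAF in front of the handler is not a substitute for fixing it.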


79.Which of the following roles would MOST likely have direct access to the senior 
management team? 

A. Data custodian 
B. Data owner 
C. Data protection officer 

D. Data controller 
Answer: C 
Explanation: 
A data protection officer (DPO) is a role that oversees the data protection strategy 
and compliance of an organization. A DPO is responsible for ensuring that the 
organization follows data protection laws and regulations, such as the General Data 
Protection Regulation (GDPR), and protects the privacy rights of data subjects. A 
DPO also acts as a liaison between the organization and data protection authorities, 
as well as data subjects and other stakeholders. 

A DPO would most likely have direct access to the senior management team, as they 
need to report on data protection issues, risks, and incidents, and advise on data 
protection policies and practices. GDPR Article 38 requires that the DPO report 
directly to the highest management level of the organization. 

The other options are not correct because: 

A. Data custodian is a role that implements and maintains the technical controls and 
procedures for data security and integrity. A data custodian does not have direct 
access to the senior management team, as they are more involved in operational 
tasks than strategic decisions. 

B. Data owner is a role that determines the classification and usage of data within an 
organization. A data owner does not have direct access to the senior management 
team, as they are more involved in business functions than data protection 
compliance. 

D. Data controller is a role that determines the purposes and means of processing 
personal data within an organization. A data controller does not have direct access to 
the senior management team, as they are more involved in data processing activities 
than data protection oversight. 

According to CompTIA Security+ SY0-601 Exam Objectives 5.5, Explain privacy and 
sensitive data concepts in relation to security: 

"A data protection officer (DPO) is a role that oversees the data protection strategy 
and compliance of an organization." 

References: 

https://www.comptia.org/certifications/security#examdetails 
https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives 
https://gdpr-info.eu/issues/data-protection-officer/ 


80.A security analyst is investigating multiple hosts that are communicating to 
external IP addresses during the hours of 2:00 a.m. - 4:00 a.m. The malware has 
evaded detection by traditional antivirus software. 

Which of the following types of malware is MOST likely infecting the hosts? 

A. A RAT 

B. Ransomware 
C. Polymorphic 
D. A worm 
Answer: A 
Explanation: 
Based on the given information, the most likely type of malware infecting the hosts is 
a RAT (Remote Access Trojan). RATs are used for stealthy, persistent unauthorized 
access to a victim's computer, and they can evade traditional antivirus software 
through various techniques. In particular, the fact that the malware is beaconing to 
external IP addresses during a fixed off-hours window suggests that it is under the 
control of an attacker who is issuing commands from a remote location when nobody is 
at the keyboard. Ransomware would announce itself by encrypting files, a worm would 
be spreading to other hosts rather than calling out on a schedule, and "polymorphic" 
describes how malware changes its code to evade signatures, not what it does. 


81.A security analyst reviews a company's authentication logs and notices multiple 
authentication failures. The authentication failures are from different usernames that 
share the same source IP address. 

Which of the password attacks is MOST likely happening? 

A. Dictionary 

B. Rainbow table 

C. Spraying 

D. Brute-force 

Answer: C 

Explanation: 

Password spraying is an attack where an attacker tries a small number of commonly 
used passwords against a large number of usernames. The goal of password 
spraying is to avoid detection and account lockout by keeping the number of failed 
login attempts for any one user account low. The fact that different usernames are 
being attacked from the same IP address, each with only a few failures, is a strong 
indication that a password spraying attack is underway. A dictionary or brute-force 
attack would show many failures against one username, and a rainbow table attack is 
performed offline against captured hashes and produces no authentication failures. 
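An added example (not part of the page): detection logic that separates password spraying from a conventional brute-force attempt in authentication logs, using the shape of the failures per source IP rather than a bare failure count. The sshd-style log lines, source addresses, and thresholds are constructed for the demonstration and would need tuning to a real environment.

```python
"""Distinguish password spraying from brute force in authentication logs.

Added example. Groups failed logins by source IP and looks at how the
failures are distributed across usernames: spraying shows many users with
few attempts each, brute force shows one user with many attempts. The log
lines, addresses and thresholds below are constructed for the demo.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 03 02:10:01 sso sshd[410]: Failed password for alice from 203.0.113.7 port 51812 ssh2
Mar 03 02:10:03 sso sshd[411]: Failed password for bob from 203.0.113.7 port 51813 ssh2
Mar 03 02:10:05 sso sshd[412]: Failed password for invalid user carol from 203.0.113.7 port 51814 ssh2
Mar 03 02:10:07 sso sshd[413]: Failed password for dave from 203.0.113.7 port 51815 ssh2
Mar 03 02:10:09 sso sshd[414]: Failed password for erin from 203.0.113.7 port 51816 ssh2
Mar 03 02:11:00 sso sshd[420]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 03 02:11:01 sso sshd[421]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 03 02:11:02 sso sshd[422]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 03 02:11:03 sso sshd[423]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar 03 02:11:04 sso sshd[424]: Failed password for root from 198.51.100.9 port 40005 ssh2
Mar 03 02:12:00 sso sshd[430]: Accepted password for alice from 192.0.2.44 port 50001 ssh2
Mar 03 02:12:30 sso sshd[431]: Failed password for frank from 192.0.2.44 port 50002 ssh2
"""

# sshd failure line; "invalid user" appears when the account does not exist.
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def failures_by_source(log_text):
    """Return {source_ip: {username: failure_count}} from the log text."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group("ip")][m.group("user")] += 1
    return counts


def classify(log_text, min_users=3, max_per_user=2, min_attempts=5):
    """Label each source IP as 'spraying', 'brute-force' or 'normal'.

    spraying:    at least min_users distinct users failed, none more than
                 max_per_user times (low and wide)
    brute-force: some single user failed at least min_attempts times
                 (high and narrow)
    """
    result = {}
    for ip, users in failures_by_source(log_text).items():
        worst = max(users.values())
        if len(users) >= min_users and worst <= max_per_user:
            result[ip] = "spraying"
        elif worst >= min_attempts:
            result[ip] = "brute-force"
        else:
            result[ip] = "normal"
    return result


if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
```

A lockout policy keyed on failures per account never fires on the spraying source, which is the point of the technique; the useful detection key is failures per source IP (or per ASN, when the attacker rotates addresses) across distinct accounts, which is what `classify` computes.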


82.A security assessment found that several embedded systems are running 
unsecure protocols. These systems were purchased two years ago and the company 
that developed them is no longer in business. 

Which of the following constraints BEST describes the reason these findings cannot be 
remediated? 

A. Inability to authenticate 

B. Implied trust 

C. Lack of computing power 
D. Unavailable patch 
Answer: D 
Explanation: 
If the systems are running unsecure protocols and the company that developed them 
is no longer in business, there is no vendor left to release firmware updates, so no 
patch is available to remediate the issue. The remaining options are compensating 
controls such as network segmentation and protocol filtering in front of the devices, 
or replacement. 


83.An employee's company account was used in a data breach. Interviews with the 
employee revealed: 

- The employee was able to avoid changing passwords by using a previous password 
again. 

- The account was accessed from a hostile, foreign nation, but the employee has 
never traveled to any other countries. 

Which of the following can be implemented to prevent these issues from reoccurring? 
(Select TWO) 

A. Geographic dispersal 

B. Password complexity 

C. Password history 

D. Geotagging 

E. Password lockout 

F. Geofencing 

Answer: C,F 

Explanation: 

The two solutions that address these issues are password history and geofencing. 
Password history is a policy setting that prevents users from reusing their previous 
passwords: the system remembers a configurable number of previous password hashes 
and rejects a new password that matches any of them, so users must create new and 
unique passwords when a change is required. 

Geofencing restricts access to a system or network based on the geographic location 
of the user or device. Location is determined from the source IP address, GPS, or 
similar data and compared with a predefined set of allowed regions, so a login from a 
country where the organization has no users, such as the hostile foreign nation here, 
is denied. Password complexity and lockout would not have stopped a reused password, 
geotagging only records location in metadata, and geographic dispersal is a 
resiliency measure for data centers, not an access control. 


84.Which of the following provides a catalog of security and privacy controls related to 
the United States federal information systems? 
A. GDPR 
B. PCI DSS 
C. ISO 27000 
D. NIST 800-53 
Answer: D 
Explanation: 

NIST SP 800-53, Security and Privacy Controls for Information Systems and 
Organizations, provides the catalog of security and privacy controls that United 
States federal information systems are required to use under FISMA. GDPR is an EU 
privacy regulation, PCI DSS is the payment card industry's standard, and ISO 27000 is 
an international family of information security management standards. 
Reference: Architecture and Design, pp. 123-125 
85.A security analyst is responding to an alert from the SIEM. The alert states that 
malware was discovered on a host and was not automatically deleted. 

Which of the following would be BEST for the analyst to perform? 

A. Add a deny-all rule to that host in the network ACL 

B. Implement a network-wide scan for other instances of the malware. 

C. Quarantine the host from other parts of the network 

D. Revoke the client's network access certificates 

Answer: C 

Explanation: 

When malware is discovered on a host, the best first action is to quarantine the 
host from other parts of the network (containment). This prevents the malware from 
spreading or reaching its command-and-control server while still letting the analyst 
collect evidence from the host. Adding a deny-all rule to the host in the network ACL 
also blocks the analyst's own access and legitimate traffic, implementing a 
network-wide scan is a later step that does not contain the infected host, and 
revoking the client's network access certificates is an extreme measure that may not 
be warranted and is harder to reverse. 


86.A security analyst wants to verify that a client-server (non-web) application is 
sending encrypted traffic. 

Which of the following should the analyst use? 

A. openssl 

B. hping 

C. netcat 

D. tcpdump 

Answer: A 

Explanation: 

To verify that a client-server (non-web) application is sending encrypted traffic, a 
security analyst can use OpenSSL. OpenSSL is a cryptographic toolkit and library that 
implements SSL/TLS; its s_client command connects to an arbitrary host and port, 
attempts a TLS handshake, and prints the negotiated protocol version, cipher suite, 
and server certificate, so the analyst can confirm that the application's port 
actually speaks TLS. tcpdump only captures the packets, and hping and netcat send raw 
traffic; none of them negotiates or validates an encrypted session. 
87.Which of the following involves the inclusion of code in the main codebase as soon 
as it is written? 
A. Continuous monitoring 
B. Continuous deployment 
C. Continuous validation 
D. Continuous integration 
Answer: D 
Explanation: 
Continuous integration (CI) is a practice where developers integrate code into a 
shared repository frequently, preferably several times a day. Each integration is 
verified by an automated build and automated tests. CI allows for the detection of 
errors early in the development cycle, thereby reducing overall development costs. 
Continuous deployment is the later step of automatically releasing each verified 
build to production. 
88.A company would like to set up a secure way to transfer data between users via 
their mobile phones. The company's top priority is utilizing technology that requires 
users to be in as close proximity as possible to each other. 
Which of the following connection methods would BEST fulfill this need? 
A. Cellular 
B. NFC 
C. Wi-Fi 
D. Bluetooth 
Answer: B 
Explanation: 
NFC allows two devices to communicate with each other only when they are in close 
proximity, typically within about 4 centimetres, whereas Bluetooth, Wi-Fi, and 
cellular all work over metres to kilometres. The very short range is itself a security 
property, since an eavesdropper must be physically next to the users, which makes NFC 
the best fit for the company's proximity requirement. 


89.An organization wants to integrate its incident response processes into a workflow 
with automated decision points and actions based on predefined playbooks. 

Which of the following should the organization implement? 

A. SIEM 

B. SOAR 

C. EDR 

D. CASB 

Answer: B 

Explanation: 

Security Orchestration, Automation, and Response (SOAR) should be implemented to 
integrate incident response processes into a workflow with automated decision points 
and actions based on predefined playbooks. A SIEM collects and correlates events but 
does not execute response playbooks, EDR acts only on endpoints, and a CASB governs 
cloud application use. 
90.A security researcher has alerted an organization that its sensitive user data was 
found for sale on a website. 
Which of the following should the organization use to inform the affected parties? 
A. An incident response plan 
B. A communications plan 
C. A business continuity plan 
D. A disaster recovery plan 
Answer: B 
Explanation: 

A communications plan should be used to inform the affected parties about the sale of 
sensitive user data on a website. The communications plan details who is authorized to 
speak for the organization, how it will handle media inquiries, how and when to notify 
customers and regulators, and how to respond to other interested parties. 
91.The spread of misinformation surrounding the outbreak of a novel virus on election 
day led to eligible voters choosing not to take the risk of going to the polls. 
This is an example of: 
A. prepending. 
B. an influence campaign. 
C. a watering-hole attack. 
D. intimidation. 
E. information elicitation. 
Answer: B 
Explanation: 
This scenario describes an influence campaign, where false information is spread to 
influence or manipulate people's beliefs or actions. In this case, the misinformation led 
eligible voters to avoid polling places, which influenced the outcome of the election. 


92.Which of the following authentication methods is considered to be the LEAST 
secure? 

A. TOTP 

B. SMS 

C. HOTP 

D. Token key 

Answer: B 

Explanation: 

SMS-based authentication is considered to be the least secure among the given 
options. SMS messages can be intercepted or redirected by attackers through 
techniques such as SIM swapping, man-in-the-middle attacks, or exploiting weaknesses 
in the SS7 signalling protocol used by mobile networks, and they are exposed if a 
user's phone is lost, stolen, or infected with malware. TOTP (Time-based One-Time 
Password), HOTP (HMAC-based One-Time Password), and hardware token keys are more 
secure because the code is generated locally from a secret shared with the server 
using a keyed cryptographic function, so there is no message in transit to intercept 
and the secret never leaves the device. NIST SP 800-63B classes SMS and voice as 
restricted out-of-band authenticators for these reasons. 
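Added example, not from the page: HOTP and TOTP implemented with Python's standard `hmac`, `hashlib`, and `struct` modules and verified against the test vectors published in RFC 4226 and RFC 6238 (the 20-byte ASCII secret `12345678901234567890`). It shows what makes these methods stronger than SMS: the code is computed from a shared secret on the device, so there is no message an attacker can intercept or redirect, and the verifier accepts only a small clock-drift window and compares in constant time. The one-step drift window is an assumption.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the Python standard library.

Added example. The RFC test vectors use the ASCII secret
'12345678901234567890'; the drift window in verify_totp is an assumption.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret, code, unix_time=None, window=1, step=30, **kw):
    """Accept the current step plus or minus `window` steps of clock drift.

    hmac.compare_digest keeps the comparison constant-time so a wrong guess
    does not leak how many leading digits matched. A real verifier must also
    remember the last accepted step and refuse to accept it twice.
    """
    if unix_time is None:
        unix_time = time.time()
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step=step, **kw)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    for counter in range(3):
        print(f"HOTP counter {counter}: {hotp(RFC_SECRET, counter)}")
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
    print("current 6-digit TOTP:", totp(RFC_SECRET))
```

Contrast with SMS: there, the server generates the code and hands it to a carrier for delivery, so SIM swapping or an SS7 redirect gives the attacker the code itself; here the attacker would have to steal the secret from the device or server, and a captured code is only valid for one 30-second step.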

93.A backdoor was detected on the containerized application environment. The 
investigation detected that a zero-day vulnerability was introduced when the latest 
container image version was downloaded from a public registry. 

Which of the following is the BEST solution to prevent this type of incident from 
occurring again? 

A. Enforce the use of a controlled trusted source of container images 

B. Deploy an IPS solution capable of detecting signatures of attacks targeting 
containers 

C. Define a vulnerability scan to assess container images before being introduced on 
the environment 

D. Create a dedicated VPC for the containerized environment 

Answer: A 

Explanation: 

Enforcing the use of a controlled, trusted source of container images (a private 
registry holding only vetted, signed images) is the best solution, because it removes 
the path by which an untrusted public image reached production. A vulnerability scan 
or an IPS relies on known signatures and would not have caught a zero-day backdoor, 
and a dedicated VPC limits blast radius but does not stop the image from being pulled. 


94.During a Chief Information Security Officer (CISO) convention to discuss security 
awareness, the attendees are provided with a network connection to use as a 
resource. As the convention progresses, one of the attendees starts to notice delays 
in the connection, and the HTTPS site requests are reverting to HTTP. 
Which of the following BEST describes what is happening? 
A. Birthday collision on the certificate key 
B. DNS hijacking to reroute traffic 
C. Brute force to the access point 
D. An SSL/TLS downgrade 
Answer: B 
Explanation: 
The attendee is experiencing delays in the connection, and the HTTPS site requests 
are reverting to HTTP, indicating that the DNS resolution is redirecting the connection 
to another server. DNS hijacking is a technique that involves redirecting a user's 
requests for a domain name to a different IP address. Attackers use DNS hijacking to 
redirect users to malicious websites and steal sensitive information, such as login 
credentials and credit card details. 
Reference: https://www.cloudflare.com/learning/dns/dns-hijacking/ 
95.A security analyst notices several attacks are being blocked by the NIPS but does 
not see anything on the boundary firewall logs. The attack seems to have been 
thwarted. 
Which of the following resiliency techniques was applied to the network to prevent this 
attack? 
A. NIC teaming 
B. Port mirroring 
C. Defense in depth 
D. High availability 
E. Geographic dispersal 
Answer: C 
Explanation: 
Defense in depth is a resiliency technique that involves implementing multiple layers 
of security controls to protect against different types of threats. In this scenario, 
the boundary firewall passed the traffic (it matched no firewall rule), but the NIPS 
behind it inspected the content and blocked the attack, demonstrating that a second, 
different control caught what the first one missed. 


96.During a forensic investigation, a security analyst discovered that the following 
command was run on a compromised host: 

[command line not legible in the source] 

Which of the following attacks occurred? 
A. Buffer overflow 
B. Pass the hash 

C. SQL injection 

D. Replay attack 

Answer: B 

Explanation: 

Pass the hash is an attack technique that allows an attacker to authenticate to a 
remote server or service by using the hashed version of a user's password, rather 
than requiring the plaintext password. It works because NTLM authentication proves 
knowledge of the password hash, not of the password itself, so a hash harvested from 
a compromised host's memory is sufficient to log on elsewhere as that user. 


97.A security analyst has been tasked with creating a new WiFi network for the 
company. 
The requirements received by the analyst are as follows: 

- Must be able to differentiate between users connected to WiFi 

- The encryption keys need to change routinely without interrupting users or 
forcing reauthentication 

- Must be able to integrate with RADIUS 

- Must not have any open SSIDs 

Which of the following options BEST accommodates these requirements? 
A. WPA2-Enterprise 
B. WPA3-PSK 
C. 802.11n 
D. WPS 
Answer: A 
Explanation: 
WPA2-Enterprise accommodates all of the requirements listed. WPA2-Enterprise 
uses 802.1X authentication with a RADIUS server to authenticate each user 
individually, which differentiates between users, and derives per-session encryption 
keys that are rekeyed without disrupting the users or requiring reauthentication. 
It is an authenticated mode, so it does not allow open SSIDs. WPA3-PSK shares one 
passphrase among all users, 802.11n is a radio standard rather than a security mode, 
and WPS is a push-button setup feature with known weaknesses. 
References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 7: Securing 
Networks, p. 317 
98.Which of the following environments utilizes dummy data and is MOST likely to be 
installed locally on a system that allows code to be assessed directly and modified 
easily with each build? 
A. Production 
B. Test 
C. Staging 
D. Development 
Answer: D 
Explanation: 
A development environment is the environment that is used to develop and test 


software. It is typically installed locally on a system that allows code to be assessed 
directly and modified easily with each build. In this environment, dummy data is often 
utilized to test the software's functionality. 

Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture 
and Design 


99.Per company security policy, IT staff members are required to have separate 
credentials to perform administrative functions using just-in-time permissions. 
Which of the following solutions is the company implementing? 

A. Privileged access management 

B. SSO 

C. RADIUS 

D. Attribute-based access control 

Answer: A 

Explanation: 
The company is implementing privileged access management (PAM), which keeps 
administrative accounts separate from day-to-day user accounts and grants their 
elevated permissions just in time, for the duration of an approved task, rather than 
standing. 
100.A company is concerned about individuals driving a car into the building to gain 
access. 
Which of the following security controls would work BEST to prevent this from 
happening? 
A. Bollard 
B. Camera 
C. Alarms 
D. Signage 
E. Access control vestibule 
Answer: A 
Explanation: 
A bollard would work best to prevent individuals from driving a car into the building. A 
bollard is a short, vertical post that can be used to block vehicles from entering a 
designated area. It is specifically designed to stop cars from crashing into buildings or 
other structures, whereas cameras, alarms, and signage only detect or deter and an 
access control vestibule is designed to control people on foot. 